What principles are employers obliged to follow to ensure that personal data is handled correctly?

Employers are obliged to adhere to the data protection principles set out in the UK General Data Protection Regulation (the retained UK version of EU Regulation (EU) 2016/679) (UK GDPR). These state that employers must:

  • process personal data lawfully, fairly and in a transparent manner (which means that personal information must not be obtained or used unless one of a limited range of legal grounds for processing applies);
  • obtain and process data only for specified, explicit and legitimate purposes;
  • ensure that data is adequate, relevant and limited to what is necessary in relation to its stated purpose (ie collect and store only the minimum information necessary);
  • ensure that data is accurate and kept up to date and take every reasonable step to ensure that data that is inaccurate is erased or rectified without delay;
  • not keep data for longer than is necessary for the purpose for which it is processed; and
  • process data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

Employers must be able to demonstrate their compliance with these data protection principles under the UK GDPR.